29 Dec 2011
2 Comments
Sigh, denial-of-service notes published over holidays

It’s 5am and I haven’t slept. A critical ASP.NET security update is being issued out-of-band today. I immediately sprang into “what the hell, Microsoft?” mode, given that our government (US-CERT) indicated Microsoft had been contacted about this back on November 1. (And given that I have to worry about ChevronWP7 Labs on Azure and about our product at work.) I went as far as to complain on Twitter, my channel of choice. But a few Microsoft folks pinged me, forcing me to do some fact checking.

Yep. I should’ve known not to blindly trust what was on US-CERT, sigh.

Upon inspection of the actual disclosure one area jumped out at me:

Vendor communication:
2011/11/01 Coordinated notification to PHP, Oracle, Python, Ruby, Google via oCERT
2011/11/29 Coordinated notification to Microsoft via CERT

Yep. These guys waited an arbitrary 30 days (in reality, less) before publishing it to the world. Never mind that this issue affected Microsoft .NET Framework 1.0 and up. Never mind that this framework has been built into Windows since Windows XP. Never mind that patches for all these platforms have to be engineered and tested. Never mind that it’s the fucking holidays and people have families they’re spending time with. Never mind that this doesn’t just affect ASP.NET but also web frameworks written in Java, Python, Ruby, PHP, and JavaScript (think node).

I couldn’t find a shred of evidence to suggest this flaw was being exploited by malicious actors, or that the information had been independently discovered by other folks – the possible reasons that would have justified such a disclosure. This appears to be a classic case of dirtbaggery.

Here’s how the adults handle this; take notes, guys:

  • Jeroen Frijters

    While I’m in total agreement with you (I was actually returning from vacation and installed the patches on our production systems while waiting at JFK airport), the YouTube video just pisses me off. I’ve (responsibly) reported several vulnerabilities to Microsoft and their response is not that great. The fact that it takes them forever to publish fixes *and* that they have zero accountability about this makes this “Coordinated” just marketing bullshit. I very much understand the challenge they face in testing for the many configurations they support, but I still feel that they take more time than necessary to release patches (and since they are not at all transparent about it, they’ve never shown me anything to convince me otherwise).

  • Jack in the box

    that’s what you get using garbage .NET